Who thought it was a good idea to block two, and sometimes three lanes in
front of Moscone during one of the biggest tech conferences of the year? Of all
the idiotic... but that's another story.

It's easy to blow off late-in-the-day events at tech shows, but I stuck
around today for what was billed as ''The Bill Joy Panel on Software Security.''
It was held at the W Hotel, and it was well worth the wait.

Sponsored by Fortify Software, the panel focused on what I have been convinced is the industry's
core security challenge: the applications themselves. It included Dr. Bill Pugh,
professor of computer science at the U of Maryland and founder of FindBugs;
Dr. David Wagner, prof of computer science at UC Berkeley; and Dr. Gary McGraw,
CTO of Cigital and author of Software Security: Building Security In
(great book). Fortify's young chief scientist, Dr. Brian
Chess, was slated for moderator duties, but the new dad arrived late, so CTO
Roger Thornton manned the lectern. Fortunately, Chess joined the panel.

But it was Joy—Sun
Microsystems' co-founder and chief scientist, rockstar
programmer, co-designer of three microprocessor architectures [SPARC, picoJava,
and MAJC], and augur of a frightening future (Hey, who wasn't scared by
that Wired story about the rise of the robots?)—who was the panel's
star attraction. Joy told me that this would be his only stop at this year's
JavaOne, and he remained cheerfully unaffected by opening jibes from the panel
and the audience about his hair.

Everyone on the panel agreed that modern developers must accept greater
responsibility for security, and they offered the following bits of
security-guru wisdom for Java jocks:

McGraw: ''When I began writing about security back in 2000,
we were just trying to establish a philosophy, to get the message across that
software builders need to think about security. We're past philosophy now. We've
got to start talking about simple, concrete things that developers need to do to
make their applications more secure, and we've got to start holding them
accountable if they don't do those things. We can do it. The time has come.''

Thornton: ''We can focus on security strategies that try to
catch the things out there attacking our software—firewalls, intrusion
detection, antivirus—or we can make our software stronger so that those things
can't harm it. The software that's out there today was made without an awareness
of current vulnerabilities. But from this day forward, if there is a single
development team anywhere on earth that's making code that'll be accessed by
more than 12 of their best friends and they don't build it to stand up to
attacks, they are either incredibly ignorant or completely negligent.''

Pugh: ''A lot of people think that errors, defects, and
stupid mistakes are sins that the lesser programmers commit. But I have used
automatic tools to find insanely embarrassing bugs written in production code by
some of the very best programmers out there. People think that because they have
'smart' employees and a good development process that they're not going to have
stupid bugs. But everyone makes stupid mistakes. They just happen. The question
is, what are you going to do to find and eliminate them.''

Wagner: He cited some disturbing (though not that
surprising) statistics: 80% of home users' computers are infected with spyware;
the mean time to infection of an XP-based machine taken out of the box and added
to an unprotected network is 15 minutes. ''It's clear that the hackers are
getting better at exploiting vulnerabilities than we are at defending against
attacks. We're losing the security battle right now. We're falling behind, and
we need to step up our game.''

Chess: He offered a corollary to his favorite Bill Joy quote (''Most of the
smart people in the world don't work for you.'') ''Most of the smart people in
the world might not even be on your side! If you think about
what hackers are going to do to your software, they're basically going to test
it for weaknesses—essentially the same thing you do when you test it. The
difference is, they have more clock cycles to do that with than you do. You have
to release your software, and then it's out there, potentially forever. So, if
you use the same techniques that the bad guys are using to attack your software,
inevitably you are going to lose. You've got to do something different. You've
got to build your software in a way that takes that advantage away from the
attackers.''

Joy: ''It's important to know which things are abundant and
to use them to make up for the things that are scarce. What's abundant right now
is processor speed and memory; what's scarce is the ability to get to what I
used to call the it-works option—to actually finish and debug code. So it seems
to me that we should be using languages and tools that let us produce more
reliable and secure software, over things that might run a little faster and
take up less memory.''

AJAX is the buzzword of this year's show, so I asked the panel members what they thought of the increasingly
popular combo of Asynchronous JavaScript and XML. They gave the new Web
development technique a collective raspberry. Wagner summed it up this way:
''JavaScript is a disaster from a security point of view, but we're stuck with
it at this point. AJAX means more JavaScript, which is just going to perpetuate
the problem.'' Chess added: ''I see shifting to more lines of JavaScript as
revisiting a bunch of security problems that we've been trying to stamp down
over the past 20 years.''

They did allow that JSR 223, which seeks to improve interoperability between
Java and scripting languages, held some hope.

I hate to admit it, but my favorite part of that discussion came when Joy took responsibility
for naming JavaScript, a vexing misnomer for Netscape's implementation of
ECMAScript, which has little in common with Java. ''The Netscape guys called me on the
phone when I was in San Francisco on a family outing,'' he said
ruefully. ''They were in a panic, and they wanted to use the name. I
wasn't thinking when I said yes.''

Before the panel convened, I button-holed Fortify's VP
of products, Mike Armistead. Fortify is one of two stand-alone security firms with
booths at this year's show (the other is Symantec), and it's the only
one focused on application security. Armistead thinks the new emphasis on enterprise
Java is making Java jocks more security-minded. ''We're getting a lot of
leads,'' Armistead told me. ''If we had been here last year, I think people
would have just blown by the booth. But this year, they're coming up to us and
saying, we really need to talk with someone about security.''

That's good news.

BTW: Check out Gary McGraw's Silver Bullet Podcast interview
with Avi Rubin, professor of computer science and technical director of the
information security institute at Johns Hopkins University. Rubin is the guy who
revealed the glitches in the Diebold electronic voting machines back in '03.

I'm off now to get a look at the chunk that sunk—and impeded traffic all day!

More tomorrow.

###

About the Author

John K. Waters is a freelance writer based in Silicon Valley. He can be reached
at john@watersworks.com.